Written By:
Caleb Coggins: Director of Compliance Services
Mark Repka: Security Consultant
Michele Adelaar: Security Consultant
Testing your Incident Response Plan as discussed last week is critical and an external requirement for some organizations (e.g., PCI DSS compliance). For PCI, testing must occur at least annually and include lessons learned postmortem to update or evolve the plan. The two common IR test methods are a Tabletop Exercise and Functional Exercise (Simulated Attack). Your test approach should align with the steps documented in your IR Plan, regardless of the testing method you have selected.
As outlined in NIST SP 800-84, the following steps help an organization to prepare for and conduct a test of its Incident Response Plan and procedures.
As with many cyclical, iterative processes, the Incident Response Lifecycle does not officially end. After the completion of a test, after action items may be assigned to personnel for continued improvement and in preparation for the next periodic IR test. One of the interesting results of an IR test is the identification of gaps in procedure or tools. Where are the blind spots within our organization’s logging and monitoring solutions? Are our procedures sufficiently detailed and clear, so that responders understand what needs to be done, in a given situation? Organizations increasingly rely on playbooks to define (and automate) responses to predictable events. These playbooks may originate externally and be modified to conform to an organization’s unique characteristics. For example, the Cybersecurity and Infrastructure Security Agency (CISA) has a Ransomware Guide resource that is publicly available and useful guidance for security controls preparation, IR planning, and IR response procedures.
Join Us Next Week
As we continue our series with what an Incident Response Plan actually looks like.
View part 3 - What does an Incident Response Plan look like?
Here at MegaplanIT, we have decades of experience handling incident response plans, testing, and analysis of threats to production environments. Our SOCaaS can aid you in identifying and responding to security events and malicious activities within your environment. Our dedicated consultants advise on incident response plan scenarios, custom-tailored to your organization, minimizing impact to your team while maintaining the maximum return on investment. Reach out today, for assistance with creating a test or reviewing processes for compliance.
Leave Comment